Security Basics mailing list archives

Re: Re: Tracking down anonymous user


From: levinson_k () securityadmin info
Date: 29 Dec 2006 21:29:57 -0000

This is correct.  Internal emails do often show no headers, for example when SMTP is not used to transmit email between 
two servers.  Are these two users on the same email server, and do users typically use protocols other than SMTP, such 
as POP3 or IMAP, to send outbound emails from the mail client to the server?  If so, then there won't be any SMTP 
headers.  

How exactly do you know this account was used to send this email?  I hope you're not relying on the "FROM:" field, as 
this can easily be forged.  Someone on your internal network can use Telnet or drop a text file onto your Exchange 
server to send an email with a spoofed From: field.

It is possible to enable more detailed "Diagnostic Logging" to track email sent and received via protocols other than 
SMTP, but I'm not sure this is enabled by default.  Your Exchange server documentation should have more details on the 
log file location and default logging levels for whatever protocols were used to transmit this email from the client 
and between mail servers if any.  I had trouble googling Microsoft for a description of "Diagnostic Logging" for all 
Exchange 2003 protocols, but here's how to change the level for POP3 connections:

http://support.microsoft.com/kb/885685

Presumably either you haven't discovered where on the server these log files are kept, or the server wasn't logging 
that data at the time this email was sent, and the logged information would not be retrievable that way.  You'd then 
have to hope a log file on another system captured the incident, such as a workstation, domain controller, IDS, etc.

kind regards,

Karl Levinson
http://securityadmin.info
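The spoofing point above (that anyone on the internal network can talk SMTP to the server and put whatever they like in From:) can be shown end to end. The following is an added example, not code from Karl Levinson's post or from any Microsoft product: a throwaway in-process SMTP receiver stands in for the internal mail server, and a standard smtplib client submits a message whose header From: names one account while the envelope MAIL FROM names another. Plain SMTP validates neither, so the only sender facts the receiver can vouch for are the TCP peer it saw and the envelope it accepted, which it writes into its own Received: line. All hostnames and addresses are constructed sample values; the receiver implements only the commands smtplib needs.

```python
"""Added example (not from the original post): why From: is not evidence of
who sent a message. A toy SMTP receiver records what it actually observed,
and a client submits a message whose header From: and envelope sender differ.
All hosts and addresses are constructed sample values."""
import email
import smtplib
import socket
import threading
from email.message import EmailMessage

SPOOFED_HEADER_FROM = "ceo@example.internal"   # what the recipient will see
ENVELOPE_FROM = "nobody@example.internal"      # what MAIL FROM will carry
RCPT = "victim@example.internal"


class ToySMTPServer:
    """Accepts one message over loopback and keeps what it learned about it."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.peer = None            # (ip, port) of the connecting client
        self.envelope_from = None   # address given in MAIL FROM (client text)
        self.raw_message = None     # stored DATA, prefixed with our Received:
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, self.peer = self.sock.accept()
        self.sock.close()
        rf, wf = conn.makefile("rb"), conn.makefile("wb")

        def reply(text):
            wf.write((text + "\r\n").encode())
            wf.flush()

        reply("220 mail.example.internal ESMTP toy")
        while True:
            raw = rf.readline()
            if not raw:                        # client went away
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            cmd = line.upper()
            if cmd.startswith(("EHLO", "HELO")):
                reply("250 mail.example.internal")
            elif cmd.startswith("MAIL FROM:"):
                self.envelope_from = line[10:].strip().strip("<>")
                reply("250 OK")
            elif cmd.startswith("RCPT TO:"):
                reply("250 OK")
            elif cmd == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                body = []
                while True:
                    l = rf.readline().decode("latin-1")
                    if not l or l in (".\r\n", ".\n"):
                        break
                    body.append(l[1:] if l.startswith("..") else l)  # undo dot-stuffing
                # The Received: line is the receiver's own observation, not client text.
                self.raw_message = (
                    f"Received: from {self.peer[0]} by mail.example.internal\r\n"
                    + "".join(body)
                )
                reply("250 OK queued")
            elif cmd == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("500 Unknown command")
        conn.close()


def send_spoofed(port):
    """Submit a message whose header From: and envelope sender disagree."""
    msg = EmailMessage()
    msg["From"] = SPOOFED_HEADER_FROM   # free-form header text; nothing checks it
    msg["To"] = RCPT
    msg["Subject"] = "Please wire the funds today"
    msg.set_content("Constructed sample body.")
    with smtplib.SMTP("127.0.0.1", port, local_hostname="pc042.example.internal",
                      timeout=5) as s:
        s.send_message(msg, from_addr=ENVELOPE_FROM, to_addrs=[RCPT])


def run_demo():
    """Return what the receiver can and cannot vouch for about the sender."""
    srv = ToySMTPServer()
    send_spoofed(srv.port)
    srv.thread.join(timeout=5)
    parsed = email.message_from_string(srv.raw_message)
    return {
        "header_from": parsed["From"],        # client-supplied, untrusted
        "envelope_from": srv.envelope_from,   # client-supplied, untrusted
        "peer_ip": srv.peer[0],               # observed by the server
        "received": parsed["Received"],       # the server's own stamp
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:>13}: {v}")
```

The practical takeaway for the investigation in this thread: header From: and envelope MAIL FROM are both chosen by whoever opened the connection, so the lead worth following is the connecting host recorded by the server (here the Received: stamp; on a real server, its protocol or diagnostic logs), correlated with whatever that workstation or the domain controller logged at the same time.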